Abstract

We consider an instance of the following problem: Parties $P_1, \ldots, P_k$ each receive an input $x_i$, and a coordinator (distinct from each of these parties) wishes to compute $f(x_1, \ldots, x_k)$ for some predicate $f$. We are interested in one-round protocols where each party sends a single message to the coordinator; there is no communication between the parties themselves. What is the minimum communication complexity needed to compute $f$, possibly with bounded error?

We prove tight bounds on the one-round communication complexity when $f$ corresponds to the promise problem of distinguishing sums (namely, determining which of two possible values the $\{x_i\}$ sum to) or the problem of determining whether the $\{x_i\}$ sum to a particular value. Similar problems were studied previously by Nisan and in concurrent work by Viola. Our proofs rely on basic theorems from additive combinatorics, but are otherwise elementary.



1 Introduction

Consider the following general problem: There are $k$ parties $P_1, \ldots, P_k$, with each party $P_i$ holding input $x_i$. A central coordinator (distinct from each of the parties) wants to learn $f(x_1, \ldots, x_k)$ for some fixed boolean function (or partial function) $f$. We are interested in one-round protocols where each party sends a single message to the coordinator and the coordinator then computes the result; there is no communication between the parties, nor does the coordinator send anything to the parties. A trivial solution, of course, is for each party $P_i$ to send $x_i$ to the coordinator, who then applies $f$ to the complete set of inputs and thus obtains the correct result. For which functions $f$ can the total communication complexity be reduced, possibly with bounded error?

Let $G$ denote an abelian group and assume each party's input lies in $G$. We study the communication complexity of two (related) functions in the model described above.

Definition 1. Fix distinct $g_0, g_1 \in G$. The $k$-party Sum-Distinguish problem (relative to $g_0, g_1$) is defined by letting $f$ be the partial function given by

$$f(x_1, \ldots, x_k) = \begin{cases} 1 & \text{if } \sum_i x_i = g_1 \\ 0 & \text{if } \sum_i x_i = g_0. \end{cases}$$

Definition 2. Fix $g \in G$. The $k$-party Sum-Equal problem (relative to $g$) is defined by letting $f$ be the function given by

$$f(x_1, \ldots, x_k) = \begin{cases} 1 & \text{if } \sum_i x_i = g \\ 0 & \text{otherwise.} \end{cases}$$

We explore the communication complexity of solving the above for $G = \mathbb{Z}_p$ ($p$ prime) and $G = \mathbb{Z}$.$^1$ Our proofs rely on the generalized Cauchy-Davenport Theorem, but otherwise use only elementary arguments. Our results can be summarized as follows:

• For Sum-Distinguish with $G = \mathbb{Z}$ or $G = \mathbb{Z}_p$, $p$ prime, we show a deterministic protocol with total communication complexity $k \log k + O(k)$; note that the communication in the latter case is independent of $p$. For $G = \mathbb{Z}_p$, we prove a lower bound of $k \cdot \min\{\log k, \log p\} - k$ on the communication complexity of any deterministic protocol.

• For Sum-Equal with $G = \mathbb{Z}$ or $G = \mathbb{Z}_p$, $p$ prime, we show a protocol using public randomness with error $\epsilon$ and total communication complexity $k \log k/\epsilon + O(k)$. A lower bound (for deterministic protocols and $G = \mathbb{Z}_p$) is implied by our lower bound for Sum-Distinguish.

We also briefly consider the case $G = \mathbb{Z}_N$ for square-free $N$.

1.1 Motivation 

The problems above are natural in the number-in-hand model of multi-party communication com- 
plexity, and variants of the Sum-Distinguish and Sum-Equal problems have been considered in 
prior work [HI HI [5j [10] , sometimes for k = 2 only. (We survey prior results in the next section.) 

Our motivation, though, comes from the domain of distributed intrusion detection. The goal of 
distributed intrusion-detection systems (DIDS) is to monitor a network across a number of hosts 
in order to detect aberrant behavior (indicating a potential intrusion) and, if detected, raise an 
alarm. In typical operation of DIDS, each host records some observations over a specified time 
period; at the end of this period, each of those hosts sends all the data it has recorded to a central 
coordinator, which then determines — based on the aggregate data from all the hosts — whether 
or not to issue an alarm. In some systems (e.g., when the hosts are geographically distributed, 
when communication is over a low-bandwidth channel, and/or when the volume of data recorded 
at each host is huge), reducing the communication becomes critical. While there has been some 
work aimed at reducing the communication complexity of DIDS [2, 9, 6], we are not aware of any
prior theoretical study of the problem. 

If we model the decision of the coordinator by some predicate $f$ computed over the data $x_1, \ldots, x_k$ recorded by each host, we recover exactly the general problem being considered here. (For the application to distributed intrusion detection, direct communication between the hosts would typically be impossible, and it would be undesirable for the coordinator to have to send data to the hosts.) While Sum-Distinguish and Sum-Equal are too simplistic to capture real-world decision procedures, they were chosen to correspond to the "DIDS-like" problems of distinguishing between a "good" system state $g_0$ and a "bad" system state $g_1$ (in the case of Sum-Distinguish), or identifying when the system is in one particular "bad" state $g$ (in the case of Sum-Equal).

1.2 Prior Work 

For the case of Sum-Equal with $G = \mathbb{Z}$ and where each party's input is an $n$-bit integer, Nisan [7] shows a randomized protocol with total communication complexity $O(k \log n)$. Our deterministic protocol achieves better communication complexity $k \log k + O(k)$ when $k < n$. In concurrent and independent work, Viola [10] studies Sum-Equal with $G = \mathbb{Z}_p$, and shows $\Theta(k \log k)$ upper and lower bounds on the communication complexity for certain ranges of $k$ and $p$. Our protocols for Sum-Equal achieve similar bounds for more general $k, p$, and using different tools.

$^1$ In the first case, each party's input is an arbitrary element of $\mathbb{Z}_p$; in the second case, each party's input is an $n$-bit integer, with $n$ being an additional parameter of the problem.

Our protocols use a direct, combinatorial perspective that (along the way) explores a new 
connection between communication complexity and additive combinatorics that may be appealing 
in its own right. It will be interesting to explore other connections between these fields. 

1.3 Organization 

In Section 2 we recall the necessary preliminaries from additive combinatorics. In Section 3 we prove upper and lower bounds for the Sum-Distinguish problem over $\mathbb{Z}_p$. In Section 4 we give a randomized protocol for Sum-Equal over $\mathbb{Z}_p$. In Section 5 we show how our protocols can be extended to work over $\mathbb{Z}$ or $\mathbb{Z}_N$ for $N$ the product of few primes.

2 Preliminaries 

We let $G$ denote an abelian group, written additively. $\mathbb{Z}$ denotes the integers, and $\mathbb{Z}_p$ is the group $\{0, \ldots, p-1\}$ under addition modulo $p$. We use "log" to refer to logarithms base 2.

2.1 Tools from Additive Combinatorics 

We utilize two well-studied, fundamental objects from additive combinatorics: sumsets and arith- 
metic progressions. 

Definition 3. For (not necessarily distinct) sets $A_1, \ldots, A_k \subseteq G$, define their sumset as $\sum_{i=1}^{k} A_i$. That is, $\sum_i A_i$ is the set of all possible sums obtainable by choosing one element from each set $A_i$.

In our constructions we use sumsets of arithmetic progressions, i.e. sequences of integers with common difference $D$. We refer to these as $D$-APs.

Definition 4. Fix a prime $p$ and a difference $D \neq 0 \bmod p$. For any $b \in \{0, \ldots, D-1\}$, let



denote the $D$-AP in $\mathbb{Z}_p$ with base $b$.

Note that we only consider $D$-APs of maximal size with no "wrap-around"; i.e., the base $b$ is less than $D$, and the progression contains $b + iD$ for all $i \ge 0$ with $b + iD < p$. As an example, the maximal 7-APs in $\mathbb{Z}_{19}$ are

$A_{(0)} = \{0, 7, 14\}$; $A_{(1)} = \{1, 8, 15\}$; $A_{(2)} = \{2, 9, 16\}$; $A_{(3)} = \{3, 10, 17\}$; $A_{(4)} = \{4, 11, 18\}$; $A_{(5)} = \{5, 12\}$; $A_{(6)} = \{6, 13\}$.



For our lower bounds, we use the generalized Cauchy-Davenport Theorem [HE]. 
Theorem 5 (Generalized Cauchy-Davenport Theorem). For a prime $p$, and $k$ (not necessarily distinct) nonempty sets $A_1, \ldots, A_k \subseteq \mathbb{Z}_p$,

$$\left|\sum_{i=1}^{k} A_i\right| \ge \min\left\{p, \ \sum_{i=1}^{k} |A_i| - k + 1\right\}.$$

For our constructions, we rely on the fact that sumsets of $D$-APs achieve the above minimum.

Lemma 6. For a prime $p$, and $k$ (not necessarily distinct) $D$-APs $A_1, \ldots, A_k \subseteq \mathbb{Z}_p$,

$$\left|\sum_{i=1}^{k} A_i\right| = \min\left\{p, \ \sum_{i=1}^{k} |A_i| - k + 1\right\}.$$

Proof. We prove the lemma for $k = 2$; the general case follows by induction. Let $A, B$ denote the two sets in question. By Theorem 5 we have $|A + B| \ge \min\{p, |A| + |B| - 1\}$. It remains to upper bound $|A + B|$.

Write $A = \{b_A + iD \mid 0 \le i < |A|\}$, $B = \{b_B + i'D \mid 0 \le i' < |B|\}$ with $0 \le b_A, b_B < D$. Then

$$A + B = \{b_A + b_B + Di + Di' \bmod p \mid 0 \le i < |A|, \ 0 \le i' < |B|\} = \{b_A + b_B + Di'' \bmod p \mid 0 \le i'' \le |A| + |B| - 2\}.$$

So $A + B$ contains at most $|A| + |B| - 1$ elements, giving the desired bound. □

2.2 Notions of Distance and Contiguity 

In Section 3 we use a notion of distance between two elements $g_0, g_1 \in \mathbb{Z}_p$. Specifically, we define their distance relative to some difference $D$ to be the minimum number of additions or subtractions by $D$ (modulo $p$) needed to map $g_0$ to $g_1$. We define this formally next.

Definition 7. Fix a prime $p$ and a difference $D \neq 0 \bmod p$. For any $g_0, g_1 \in \mathbb{Z}_p$, define the distance from $g_0$ to $g_1$ (relative to $p, D$) as

$$\mathrm{dist}_{p,D}(g_0, g_1) \stackrel{\mathrm{def}}{=} \min\left\{(g_1 - g_0) D^{-1} \bmod p, \ (g_0 - g_1) D^{-1} \bmod p\right\}.$$

(The minimum is taken by viewing each term as an integer in $\{0, \ldots, p-1\}$.)

We say $g_0, g_1 \in \mathbb{Z}_p$ are adjacent (with respect to $\mathrm{dist}_{p,D}$) if $\mathrm{dist}_{p,D}(g_0, g_1) = 1$. We say a set $A \subseteq \mathbb{Z}_p$ is contiguous (relative to $D$) if it can be ordered so that all adjacent elements in the ordering are adjacent with respect to $\mathrm{dist}_{p,D}$. When $|A| = 1$, $A$ is vacuously contiguous. Clearly $D$-APs are contiguous; we observe that sumsets of $D$-APs are also contiguous.

Lemma 8. Fix a prime $p$, difference $D \neq 0 \bmod p$, and any $D$-APs $A_1, \ldots, A_k \subseteq \mathbb{Z}_p$. Then $\sum_{i=1}^{k} A_i$ is contiguous relative to $D$.

Proof. From the proof of Lemma 6, for any $D$-APs $A$ and $B$ we have

$$A + B = \{b_A + b_B + iD \bmod p \mid 0 \le i \le |A| + |B| - 2\},$$

which is contiguous by definition. Induction on $k$ completes the proof. □

Corollary 9. Fix a prime $p$, difference $D \neq 0 \bmod p$, and $D$-APs $A_1, \ldots, A_k \subseteq \mathbb{Z}_p$. For any $g_0, g_1 \in \mathbb{Z}_p$, if $\mathrm{dist}_{p,D}(g_0, g_1) \ge \left|\sum_{i=1}^{k} A_i\right|$ then $g_0$ and $g_1$ cannot both be in $\sum_{i=1}^{k} A_i$.

Consider again the example of $\mathbb{Z}_{19}$ with $D = 7$. Then $A_{(2)} + A_{(3)} = \{2, 9, 16\} + \{3, 10, 17\} = \{5, 12, 0, 7, 14\}$ is contiguous, and $|A_{(2)} + A_{(3)}| = 5$. Taking $2, 5 \in \mathbb{Z}_{19}$, we have $\mathrm{dist}_{19,7}(5, 2) = 5 \ge |A_{(2)} + A_{(3)}|$ and, indeed, $5 \in A_{(2)} + A_{(3)}$ but $2 \notin A_{(2)} + A_{(3)}$.

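The definitions of this section can be checked by brute force. The Python below is an added example, not part of the paper; the function names (d_ap, sumset, dist, is_contiguous, check_section2) are chosen here for illustration. It recomputes the $\mathbb{Z}_{19}$, $D = 7$ example and tests Lemma 6, Lemma 8 and Corollary 9 exhaustively for small parameters.

```python
from itertools import product


def d_ap(p, D, b):
    """Maximal D-AP in Z_p with base b < D: b, b+D, ... (no wrap-around)."""
    if not 0 <= b < D:
        raise ValueError("base must satisfy 0 <= b < D")
    return set(range(b, p, D))


def sumset(sets, p):
    """All sums (mod p) obtainable by choosing one element from each set."""
    total = {0}
    for s in sets:
        total = {(t + a) % p for t in total for a in s}
    return total


def dist(p, D, g0, g1):
    """dist_{p,D}(g0, g1): fewest +D / -D steps (mod p) taking g0 to g1."""
    inv = pow(D, -1, p)  # requires D nonzero mod p
    return min((g1 - g0) * inv % p, (g0 - g1) * inv % p)


def is_contiguous(A, p, D):
    """A is contiguous iff it is a single run a, a+D, a+2D, ... (mod p).

    Each maximal run has exactly one element whose predecessor a-D is
    missing from A, so counting those elements counts the runs
    (the count is zero only when A is all of Z_p).
    """
    return sum(1 for a in A if (a - D) % p not in A) <= 1


def check_section2(p, D, k):
    """Exhaustively test Lemma 6, Lemma 8 and Corollary 9 for k D-APs in Z_p."""
    aps = [d_ap(p, D, b) for b in range(D)]
    for combo in product(aps, repeat=k):
        S = sumset(combo, p)
        # Lemma 6: the Cauchy-Davenport minimum is met with equality.
        if len(S) != min(p, sum(len(A) for A in combo) - k + 1):
            return False
        # Lemma 8: the sumset is contiguous relative to D.
        if not is_contiguous(S, p, D):
            return False
        # Corollary 9: two members of S are never at distance >= |S|.
        if any(dist(p, D, g0, g1) >= len(S) for g0 in S for g1 in S):
            return False
    return True


if __name__ == "__main__":
    S = sumset([d_ap(19, 7, 2), d_ap(19, 7, 3)], 19)
    print(sorted(S), dist(19, 7, 5, 2), check_section2(19, 7, 3))
```
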
3 Sum-Distinguish over $\mathbb{Z}_p$

3.1 A Deterministic Protocol

Corollary 9 suggests a technique for efficiently distinguishing two sums. Say $k$ parties wish to determine whether their inputs $x_1, \ldots, x_k$ sum to $g_0$ or $g_1$ (modulo $p$). For some fixed, agreed-upon difference $D$ (we discuss how to set $D$ below), each party $P_i$ sends to the coordinator the index of the $D$-AP $A_i$ in which its input $x_i$ lies. The coordinator thus learns that the sum $\sum_i x_i$ lies in the sumset $A \stackrel{\mathrm{def}}{=} \sum_{i=1}^{k} A_i$. As long as $\mathrm{dist}_{p,D}(g_0, g_1) \ge |A|$, it cannot be the case that both $g_0$ and $g_1$ are in $A$; in that case, the coordinator learns the sum by checking which of $g_0, g_1$ lies in $A$.

The main difficulty in implementing the above is that $g_0, g_1$ may be very "close." In that case, in order to ensure that the above succeeds we need to ensure that $|A|$ is small. This, in turn, requires the $D$-APs to be small, which means that there are more of them. Since the communication from each party is the logarithm of the number of $D$-APs, this makes the communication complexity worse. Ideally, we would like to set $D$ independently of the relative distance between $g_0$ and $g_1$.

A solution is to have the parties "shift" their inputs by each locally multiplying them (modulo $p$) by an agreed-upon constant $c$. The problem then reduces to distinguishing whether the shifted inputs sum to $g_0' \stackrel{\mathrm{def}}{=} c \cdot g_0 \bmod p$ or $g_1' \stackrel{\mathrm{def}}{=} c \cdot g_1 \bmod p$. The insight is that regardless of $g_0, g_1$, we can set $c$ appropriately to ensure that $g_0'$ and $g_1'$ are "far apart."

We proceed with the details, beginning with some preliminary lemmas.

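Lemma 10. Fix a prime $p > 2$ and a difference $D \neq 0 \bmod p$. Then for any distinct $g_0, g_1 \in \mathbb{Z}_p$ there exists a value $c \neq 0 \bmod p$ such that $\mathrm{dist}_{p,D}(c \cdot g_0 \bmod p, \ c \cdot g_1 \bmod p) = \frac{p-1}{2}$.

Proof. Set $c = \frac{p-1}{2} \cdot D (g_1 - g_0)^{-1} \bmod p$. Then

$$c (g_1 - g_0) D^{-1} = \frac{p-1}{2} \cdot D (g_1 - g_0)^{-1} (g_1 - g_0) D^{-1} = \frac{p-1}{2} \bmod p.$$

Since $(p-1)/2 < -(p-1)/2 \bmod p$ (viewing the right-hand term as an integer in $\{1, \ldots, p-1\}$), this completes the proof. □

Lemma 11. Fix a prime $p > 5$, and integer $k < p/4$. Set $D = \left\lceil \frac{2kp}{p-3} \right\rceil < p$. Then for any $D$-APs $A_1, \ldots, A_k \subseteq \mathbb{Z}_p$, we have

$$\left|\sum_{i=1}^{k} A_i\right| \le \frac{p-1}{2}.$$

Proof. By Lemma 6,

$$\left|\sum_{i=1}^{k} A_i\right| = \min\left\{p, \ \sum_{i=1}^{k} |A_i| - k + 1\right\}.$$

Observe that $|A_i| \le \left\lceil \frac{p}{D} \right\rceil < \frac{p}{D} + 1$. Therefore,

$$\sum_{i=1}^{k} |A_i| - k + 1 < \sum_{i=1}^{k} \left(\frac{p}{D} + 1\right) - k + 1 \le \frac{kp(p-3)}{2kp} + 1 = \frac{p-1}{2},$$

completing the proof. □
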
Theorem 12. There is a universal constant $C$ such that for any prime $p$ and positive integer $k$ there is a $k$-party, one-round, deterministic protocol for Sum-Distinguish over $\mathbb{Z}_p$ having communication complexity $k \log k + C \cdot k$.

Proof. There is a trivial protocol having communication complexity $k \cdot \lceil \log p \rceil$, so the theorem is trivially true if $p \le 5$ or $k \ge p/4$. In what follows we therefore assume $p > 5$ and $k < p/4$.

Fix arbitrary, distinct $g_0, g_1 \in \mathbb{Z}_p$. The protocol for solving Sum-Distinguish relative to $g_0, g_1$ is as follows. Set $c$ as in Lemma 10 and $D$ as in Lemma 11. Party $P_i$, holding input $x_i$, computes

$$b_i = ((c \cdot x_i) \bmod p) \bmod D$$

and sends $b_i$ to the coordinator. (Note that $b_i$ is the base for the $D$-AP $A_{(b_i)}$ containing $c \cdot x_i \bmod p$.) The coordinator outputs 0 if $c \cdot g_0 \bmod p$ is in $\sum_{i=1}^{k} A_{(b_i)}$, and outputs 1 otherwise.

If $\sum_i x_i = g_0 \bmod p$ then $\sum_i c \cdot x_i = c \cdot g_0 \bmod p$, and it is immediate that the coordinator outputs the correct answer 0. So, assume instead that $\sum_i x_i = g_1 \bmod p$. Then $c \cdot g_1 \bmod p$ is in $\sum_i A_{(b_i)}$. Since $\mathrm{dist}_{p,D}(c \cdot g_0 \bmod p, \ c \cdot g_1 \bmod p) = (p-1)/2$ (by Lemma 10) and $\left|\sum_i A_{(b_i)}\right| \le (p-1)/2$ (by Lemma 11), we conclude from Corollary 9 that $c \cdot g_0 \bmod p$ is not in $\sum_i A_{(b_i)}$. Hence, in this case the coordinator outputs the correct answer 1.

The communication complexity is exactly $k \cdot \lceil \log D \rceil$ bits. Since $D < \frac{2kp}{p-3} + 1 \le C \cdot k$ for some constant $C$ independent of $p$ and $k$, this completes the proof. □

Efficient implementation. We note that the coordinator can be implemented to run efficiently. (It is clear that the parties can run efficiently.) First note that from $b_i$ the coordinator can efficiently compute $|A_{(b_i)}| = \left\lceil \frac{p - b_i}{D} \right\rceil$. It can then compute $d \stackrel{\mathrm{def}}{=} \left|\sum_i A_{(b_i)}\right| = \sum_{i=1}^{k} |A_{(b_i)}| - k + 1$. Finally, the coordinator can check whether $c \cdot g_0 \in \sum_i A_{(b_i)}$ by computing $b^* = \sum_i b_i \bmod p$ and then checking whether $(c \cdot g_0 - b^*) \cdot D^{-1} \bmod p$ is less than $d$.

3.2 A Lower Bound for Deterministic Protocols 

In the following, we consider one-round protocols in which each party always sends exactly $t$ bits to the coordinator, for some $t$. We say any such protocol has per-party communication complexity $t$.

The basic idea of the lower bound is as follows. Each message $m \in \{0, 1\}^t$ from party $P_i$, say, defines a set $A_{i,m}$ of possible inputs $x_i$ (namely, those inputs on which $P_i$ would send $m$). Given the messages $m_1, \ldots, m_k$ sent by all the parties, the coordinator learns only that the sum $\sum_i x_i$ lies in the sumset $\sum_i A_{i,m_i}$. If we can show that there exist some $m_1, \ldots, m_k$ for which $\sum_i A_{i,m_i}$ contains both $g_0$ and $g_1$, then there must be some set of inputs on which the protocol outputs the wrong result. The crux of the proof is to show that if $t$ is too small, then there exist $m_1, \ldots, m_k$ for which $\sum_i A_{i,m_i} = \mathbb{Z}_p$, and hence the sumset does indeed contain both $g_0$ and $g_1$.

Theorem 13. Fix prime $p$ and positive integer $k > 1$. If $t < \min\{\log((k-1)/2), \log(p/2)\}$, there is no deterministic, $k$-party protocol for Sum-Distinguish over $\mathbb{Z}_p$ (relative to any $g_0, g_1 \in \mathbb{Z}_p$) with per-party communication complexity $t$.

Proof. Fix some deterministic protocol for Sum-Distinguish over $\mathbb{Z}_p$ (relative to some $g_0, g_1 \in \mathbb{Z}_p$) with per-party communication complexity $t$. The protocol defines for each party $P_i$ a partition $A_{i,1}, \ldots, A_{i,2^t}$ of $\mathbb{Z}_p$, where $A_{i,j}$ is the set of inputs which cause $P_i$ to send $j$ to the coordinator.

For each party $P_i$ there exists an $m_i$ such that $|A_{i,m_i}| \ge p/2^t$. Moreover, there is a legal set of inputs for the parties such that $P_1, \ldots, P_{k-1}$ send $m_1, \ldots, m_{k-1}$, respectively. (Simply take $x_i \in A_{i,m_i}$ for $i = 1, \ldots, k-1$, and then let $x_k \in \{g_0 - \sum_{i=1}^{k-1} x_i, \ g_1 - \sum_{i=1}^{k-1} x_i\}$.) When the coordinator receives $m_1, \ldots, m_{k-1}$ then, even if it is additionally given $P_k$'s input $x_k$, the coordinator learns only that the sum $\sum_i x_i$ of the parties' inputs lies in the set $x_k + \sum_{i=1}^{k-1} A_{i,m_i}$. By Theorem 5, however, we have

$$\left|\sum_{i=1}^{k-1} A_{i,m_i}\right| \ge \min\left\{p, \ \sum_{i=1}^{k-1} \frac{p}{2^t} - (k-1) + 1\right\} = \min\left\{p, \ \frac{(k-1)p}{2^t} - k + 2\right\}.$$

If $p > k - 1$ then $t < \log((k-1)/2)$ and

$$\frac{(k-1)p}{2^t} - k + 2 > 2p - k + 2 > p.$$

On the other hand, if $k - 1 \ge p$ then $t < \log(p/2)$ and

$$\frac{(k-1)p}{2^t} - k + 2 > k > p.$$

In either case, then, we must have $\left|\sum_{i=1}^{k-1} A_{i,m_i}\right| \ge p$ and so $\sum_{i=1}^{k-1} A_{i,m_i} = \mathbb{Z}_p$. This implies that there exist inputs $x_1, x_1' \in A_{1,m_1}, \ldots, x_{k-1}, x_{k-1}' \in A_{k-1,m_{k-1}}$ with $x_k + \sum_{i=1}^{k-1} x_i = g_0$ and $x_k + \sum_{i=1}^{k-1} x_i' = g_1$. But then there exists some set of legal inputs for the parties on which the coordinator outputs an incorrect result. □



4 A Randomized Protocol for Sum-Equal over $\mathbb{Z}_p$

Our protocol for Sum-Equal is similar to our protocol for Sum-Distinguish. Namely, each party $P_i$ scales its input $x_i$ by some value $c$ and sends the index of the $D$-AP $A_i$ that contains the scaled value $c \cdot x_i \bmod p$; the coordinator outputs 1 iff $c \cdot g \in \sum_i A_i$.

Note that the coordinator never errs if $\sum_i x_i = g$, and so we need only analyze the case when $\sum_i x_i \neq g$. In the case of Sum-Distinguish, we are guaranteed that $\sum_i x_i \in \{g_0, g_1\}$ and so we set $c$ to some fixed value such that $c g_0$ and $c g_1$ are "far apart." The problem here is that $\sum_i x_i$ can be arbitrary. To deal with this, we have the parties select $c \in \mathbb{Z}_p$ uniformly at random using the public randomness. If $\sum_i x_i = g' \neq g$ then the protocol will succeed as long as $cg$ and $cg'$ are sufficiently "far apart" as before. By setting the parameters of the protocol appropriately, we ensure that this happens with high probability over choice of $c$.

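Lemma 14. Fix a prime $p > 2$, a difference $D \neq 0 \bmod p$, and $\xi \in (0, 1)$. Then for any distinct $g, g' \in \mathbb{Z}_p$ there are at least $\xi \cdot (p-1)$ values $c \neq 0 \bmod p$ such that

$$\mathrm{dist}_{p,D}(c \cdot g \bmod p, \ c \cdot g' \bmod p) \ge (1 - \xi) \cdot \frac{p-1}{2}.$$

Proof. Set $\delta \stackrel{\mathrm{def}}{=} \lceil \xi \cdot (p-1)/2 \rceil$, and take any $d$ in the set $\left\{\frac{p-1}{2} - \delta + 1, \ldots, \frac{p-1}{2} + \delta\right\}$ of size $2\delta$.

Set $c = d \cdot D (g - g')^{-1} \bmod p$. Then

$$c (g - g') D^{-1} = d \cdot D (g - g')^{-1} (g - g') D^{-1} = d \bmod p.$$

So,

$$\mathrm{dist}_{p,D}(c \cdot g \bmod p, \ c \cdot g' \bmod p) = \min\left\{c (g - g') D^{-1} \bmod p, \ c (g' - g) D^{-1} \bmod p\right\} = \min\{d, p - d\} \ge \frac{p-1}{2} - \delta + 1,$$

completing the proof. □

Lemma 15. Fix a prime $p > 5$, an integer $k < p/4$, and $\epsilon >$ . Set $D = \left\lceil \frac{2kp}{\epsilon (p-3)} \right\rceil < p$. Then for any $D$-APs $A_1, \ldots, A_k \subseteq \mathbb{Z}_p$, we have

$$\left|\sum_{i=1}^{k} A_i\right| < \epsilon \cdot \frac{p-1}{2} + 1.$$

Proof. By Lemma 6,

$$\left|\sum_{i=1}^{k} A_i\right| = \min\left\{p, \ \sum_{i=1}^{k} |A_i| - k + 1\right\}.$$

Observe that $|A_i| \le \left\lceil \frac{p}{D} \right\rceil < \frac{p}{D} + 1$. Therefore,

$$\sum_{i=1}^{k} |A_i| - k + 1 < \sum_{i=1}^{k} \left(\frac{p}{D} + 1\right) - k + 1 \le \frac{kp \, \epsilon (p-3)}{2kp} + k - k + 1 < \frac{\epsilon (p-1)}{2} + 1,$$

completing the proof. □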



Theorem 16. There is a universal constant $C$ such that for any prime $p$, positive integer $k$, and $\epsilon \in (0, 1)$, there is a $k$-party, one-round protocol for Sum-Equal over $\mathbb{Z}_p$ using public randomness, with error at most $\epsilon$ and communication complexity $k \log k/\epsilon + C \cdot k$.

Proof. There is a trivial protocol with communication complexity $k \cdot \lceil \log p \rceil$, so the theorem is true if $p \le 5$ or $k \ge p/4$ or $\epsilon \le$ . In what follows we therefore assume $p > 5$, $k < p/4$, and $\epsilon >$ .

The protocol for solving Sum-Equal is as follows. Set $D$ as in Lemma 15 and use the public randomness to choose uniform $c \in \mathbb{Z}_p \setminus \{0\}$. Party $P_i$, holding input $x_i$, computes

$$b_i = ((c \cdot x_i) \bmod p) \bmod D$$

and sends $b_i$ to the coordinator. The coordinator outputs 1 if $c \cdot g \bmod p$ is in $\sum_{i=1}^{k} A_{(b_i)}$, and outputs 0 otherwise.

If $\sum_i x_i = g \bmod p$ then $\sum_i c \cdot x_i = c \cdot g \bmod p$ and the coordinator always outputs the correct answer 1. Now say $\sum_i x_i = g' \neq g \bmod p$. Then $c \cdot g' \bmod p$ is in $\sum_i A_{(b_i)}$. Using Lemma 15 we have $\left|\sum_i A_{(b_i)}\right| < \epsilon \cdot \frac{p-1}{2} + 1$. Using Lemma 14, with probability at least $\xi = 1 - \epsilon$ we have $\mathrm{dist}_{p,D}(c \cdot g \bmod p, \ c \cdot g' \bmod p) \ge \epsilon (p-1)/2$. Assuming that to be the case, we have

$$\mathrm{dist}_{p,D}(c \cdot g \bmod p, \ c \cdot g' \bmod p) \ge \left|\sum_i A_{(b_i)}\right|$$

(note that both sides of the above are integers), and so we conclude from Corollary 9 that $c \cdot g \bmod p$ is not in $\sum_i A_{(b_i)}$. We thus see that with probability at least $1 - \epsilon$ the coordinator outputs the correct answer 0.

The communication complexity is exactly $k \cdot \lceil \log D \rceil$ bits. Since $D < \frac{2kp}{\epsilon (p-3)} + 1 \le C \cdot k/\epsilon$ for some constant $C$ independent of $p$, $k$, and $\epsilon$, this completes the proof. □

5 Protocols Over $\mathbb{Z}$ and $\mathbb{Z}_N$

In what follows, we show how to modify our protocols to work over the integers and in $\mathbb{Z}_N$ for square-free $N$.

Protocol over $\mathbb{Z}$. Working over $\mathbb{Z}$ is relatively easy. The parties are given inputs in $\{0, \ldots, 2^n - 1\}$. The maximum sum of all the inputs is $k 2^n$, and the "target values" are at most that also. The parties choose the smallest prime $p > k 2^n$, treat their inputs as lying in $\mathbb{Z}_p$, and run the protocol for $\mathbb{Z}_p$. Note that $\sum_i x_i = g$ over the integers iff $\sum_i x_i = g \bmod p$ by our choice of $p$.

Protocol over $\mathbb{Z}_N$. Assume $N$ is square-free, and let $N = \prod_{i=1}^{m} p_i$ be the prime factorization of $N$. The parties can then work modulo each of the $p_i$, and rely on the Chinese remainder theorem for correctness. The complexity of the protocol scales with the number of prime factors $m$.

This research was sponsored by the Army Research Laboratory and was accomplished under Cooperative 
Agreement Number W911NF-11-2-0086. The views and conclusions contained in this document are those of
the authors and should not be interpreted as representing the official policies, either expressed or implied, of 
the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce 
and distribute reprints for Government purposes notwithstanding any copyright notation herein. 